Fortnightly - collaboration
http://www.fortnightly.com/tags/collaboration
In the Situation Room
http://www.fortnightly.com/fortnightly/2013/06/situation-room
<div class="field field-name-field-import-deck field-type-text-long field-label-inline clearfix"><div class="field-label">Deck:&nbsp;</div><div class="field-items"><div class="field-item even"><p>Presidential attention raises the priority level for cybersecurity.</p>
</div></div></div><div class="field field-name-field-import-byline field-type-text-long field-label-inline clearfix"><div class="field-label">Byline:&nbsp;</div><div class="field-items"><div class="field-item even"><p>By Michael T. Burr, Editor-in-Chief</p>
</div></div></div><div class="field field-name-field-import-bio field-type-text-long field-label-inline clearfix"><div class="field-label">Author Bio:&nbsp;</div><div class="field-items"><div class="field-item even"><p><strong>Michael T. Burr</strong> is <em>Fortnightly’s</em> editor-in-chief. Email him at <a href="mailto:burr@pur.com">burr@pur.com</a></p>
</div></div></div><div class="field field-name-field-import-volume field-type-node-reference field-label-inline clearfix"><div class="field-label">Magazine Volume:&nbsp;</div><div class="field-items"><div class="field-item even">Fortnightly Magazine - June 2013</div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Since the concept of cybersecurity standards first emerged, sometime around Y2K, the industry and its regulators have engaged in a fascinating tug-of-war. The industry wants standards that are clear but also flexible. Regulators want compliance with the rules, but they know what’s really needed is security and reliability—and that’s not necessarily the result of bare compliance.</p>
<p><i>Fortnightly</i> has closely followed the process of promulgating cybersecurity standards for several years, most recently in our February 2013 issue <i>(See “</i><a href="http://www.fortnightly.com/fortnightly/2013/02/nerc-wire"><i>NERC on a Wire: The reliability organization struggles with reforms, as FERC hovers</i></a><i>,” by Jonathan D. Schneider)</i>. Amid all the technical and operational issues involved with critical infrastructure protection (CIP), one practical issue has posed what seems like an intractable dilemma: the need for collaboration and transparency in what is a highly complex and sensitive process.</p>
<p>Communication involving security matters is a dual-edged sword. Stakeholders need to freely communicate so they can better understand the nature of security threats. But at the same time, those same stakeholders are loath to share information that could come back to haunt them in some way.</p>
<p>Likewise, CIP standards for utilities are developed in a multi-faceted process that’s meant to accommodate both industry input and strong government oversight. The industry’s private reliability entity, the North American Electric Reliability Corp. (NERC), develops standards under marching orders and authority from the Federal Energy Regulatory Commission (FERC). Meanwhile standard-setting organizations like IEEE and the National Institute of Standards and Technology (NIST) play key roles, and so do interoperability panels and standards committees in various industry sub-sectors. Although this approach might be necessary to make sure all the bases are covered, it’s also a recipe for confusion and uncertainty. And for several years, that’s what utilities have been complaining about—confusion regarding evolving standards, and a nagging sense of uncertainty about their practical application.</p>
<h4>Turning a Corner</h4>
<p>In February, <a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity" target="_blank">President Obama issued an executive order</a> that was intended to overcome these issues once and for all—ordering cabinet-level efforts to improve timely information sharing and collaborative development of CIP standards.</p>
<p>The utility industry received this order with cautious optimism. Wondering whether now, three months later, that effort is bearing any fruit, I asked the three CEOs interviewed for this issue’s cover story for their perspective on security standards and regulation. Is the process working? And specifically, have we turned a corner since the president issued his executive order? Here’s what they said:</p>
<p><b>Thomas V. Shockley, El Paso Electric</b> The nation and certainly infrastructure utilities have got a unique responsibility, because cybersecurity is such a huge issue, and you don’t go a day without hearing what might be perceived as a very secure entity being hacked and bad things happening. We’re all very concerned about that for our system, and we’re all paying a huge amount of attention to creating as secure an environment as we can.</p>
<p>We’re getting a lot of help from people to identify weaknesses in the system, areas we need to shore up. That’s very constructive for everyone. Unfortunately we frequently hear about desire to implement stronger security requirements with little flexibility before there’s much meat on the bone, and we’re left holding the bag as we try to apply new ways to make our system more secure but at the same time the new standards and definitions haven’t come out. What you can and can’t share with regard to security, we need to get some definition around that, and improve the system for everyone concerned.</p>
<p><b>Stephen Berberich, California ISO</b> We follow the national standards on CIP and cybersecurity, and in fact we go well beyond them, which I think is appropriate. I think the federal government has to set some minimum standards, and they need to leave leeway for each institution to figure out the best way to deal with it. Everyone’s platform and system is different. At the federal level we need minimum standards and flexibility.</p>
<p>This isn’t a new thing. Any company like ours gets probed thousands of times a day for vulnerabilities. We use outside firms to test us. We use the defense-in-depth approach, and we keep our critical systems segregated off, behind multiple walls, away from public access.</p>
<p>In terms of standards promulgation, what you see is that the standards created in version 1.0 necessarily must be morphed into further releases as we learn. There are problems with the standards as they exist today. I’m a little concerned they might not get at the heart of some issues, but I think they’re going in the right direction and people are learning from them. The industry is adapting. Among the ISOs, we’ve proposed that the standards should be taken apart to create core standards versus check-the-box standards—so if you’re non-compliant with core standards, that’s the focus versus filling out paperwork.</p>
<p><b>Nick Akins, AEP</b> Recently I had an opportunity to sit in the Situation Room at the White House with the president and other utility executives. We’ve had good communications, and the electric industry has, through the Edison Electric Institute, focused on developing that relationship. Dan Poneman, deputy secretary at DOE, has been very focused on this. We’ve done very well in terms of exchanging information.</p>
<p>After the president’s executive order, we’ve seen advances of security clearances that are necessary so our people can talk to others in the government. Also we’ve seen more emphasis placed on sharing information. We don’t need to know where the threats are coming from, we just need to know what the threats are—and vice-versa [the government needs to know where they’re coming from].</p>
<p>Security is a major challenge for the utility industry. We have an entire floor dedicated to cybersecurity, and five years ago it wasn’t even there. We have to stay on top of it.</p>
<p>EEI put together a CEO group that meets regularly with DOE and others on security, allowing exchange of information so we can be aware of threats. Also the industry has been focusing on learning lessons from Superstorm Sandy. There’s a connection between the resilience of resources associated with a major catastrophic event like Sandy, and what could happen in a cyber event. If there’s an impact on the physical system, we have to understand the system response. How do we respond regionally? How do we supply materials? How do we coordinate between different levels of the government and utilities to effectuate a response? Those also are key questions for cybersecurity from a national standpoint, and that kind of communication is occurring very positively with the president. We’re seeing very good support from this administration.</p>
<p>We have a long way to go, obviously, and with cybersecurity you’re always chasing the next event. But on the back end you have to work on resilience. There’s a lot of activity going on. It’s amazing to me that you can sit with a president and talk about this. A few years ago that wouldn’t have happened.</p>
</div></div></div><div class="field field-name-field-department field-type-taxonomy-term-reference field-label-above clearfix"><h3 class="field-label">Department: </h3><ul class="links"><li class="taxonomy-term-reference-0"><a href="/department/frontlines">Frontlines</a></li></ul></div><div class="field field-name-field-image-picture field-type-image field-label-above"><div class="field-label">Image Picture:&nbsp;</div><div class="field-items"><div class="field-item even"><img src="http://www.fortnightly.com/sites/default/files/1306-FR.jpg" width="1500" height="960" alt="" /></div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above clearfix">
<div class="field-label">Tags:&nbsp;</div>
<div class="field-items">
<a href="/tags/cybersecurity">cybersecurity</a><span class="pur_comma">, </span><a href="/tags/y2k">Y2K</a><span class="pur_comma">, </span><a href="/tags/reliability">Reliability</a><span class="pur_comma">, </span><a href="/tags/compliance">compliance</a><span class="pur_comma">, </span><a href="/tags/nerc">NERC</a><span class="pur_comma">, </span><a href="/tags/ferc">FERC</a><span class="pur_comma">, </span><a href="/tags/schneider">Schneider</a><span class="pur_comma">, </span><a href="/tags/critical-infrastructure-protection">Critical infrastructure protection</a><span class="pur_comma">, </span><a href="/tags/cip">CIP</a><span class="pur_comma">, </span><a href="/tags/collaboration">collaboration</a><span class="pur_comma">, </span><a href="/tags/transparency">transparency</a><span class="pur_comma">, </span><a href="/tags/stakeholder">stakeholder</a><span class="pur_comma">, </span><a href="/tags/north-american-electric-reliability-corp-0">North American Electric Reliability Corp.</a><span class="pur_comma">, </span><a href="/tags/federal-energy-regulatory-commission">Federal Energy Regulatory Commission</a><span class="pur_comma">, </span><a href="/tags/ieee">IEEE</a><span class="pur_comma">, </span><a href="/tags/national-institute-standards-and-technology">National Institute of Standards and Technology</a><span class="pur_comma">, </span><a href="/tags/nist">NIST</a><span class="pur_comma">, </span><a href="/tags/interoperability-panels">interoperability panels</a><span class="pur_comma">, </span><a href="/tags/obama">Obama</a><span class="pur_comma">, </span><a href="/tags/thomas-v-shockley">Thomas V. 
Shockley</a><span class="pur_comma">, </span><a href="/tags/el-paso-electric">El Paso Electric</a><span class="pur_comma">, </span><a href="/tags/infrastructure">Infrastructure</a><span class="pur_comma">, </span><a href="/tags/stephen-berberich">Stephen Berberich</a><span class="pur_comma">, </span><a href="/tags/california-iso">California ISO</a><span class="pur_comma">, </span><a href="/tags/standards">standards</a><span class="pur_comma">, </span><a href="/tags/flexibility">Flexibility</a><span class="pur_comma">, </span><a href="/tags/nick-akins">Nick Akins</a><span class="pur_comma">, </span><a href="/tags/aep">AEP</a><span class="pur_comma">, </span><a href="/tags/edison-electric-institute">Edison Electric Institute</a><span class="pur_comma">, </span><a href="/tags/dan-poneman">Dan Poneman</a><span class="pur_comma">, </span><a href="/tags/doe">DOE</a><span class="pur_comma">, </span><a href="/tags/superstorm-sandy">Superstorm Sandy</a> </div>
</div>
Wed, 29 May 2013 20:48:33 +0000
meacott16585 at http://www.fortnightly.com